The $5 billion fine levied against Facebook by the Federal Trade Commission is certainly headline news, but it also contains detailed requirements for privacy and information security governance and accountability that all companies can learn from and implement.
Big Picture Takeaways:
- Facebook faces many detailed requirements for internal and external governance and oversight with extensive reporting requirements
- Some requirements providing Facebook with flexibility on compliance (e.g. length of time to delete information; exceptions from the obligation to delete)
- Several requirements specifically listing the possibility for Facebook to ask for modification of the requirement to address relevant developments that affect compliance including, but not limited to, technological changes.
– Facebook must not misrepresent:
(i) How they collect, disclose or share information;
(ii) The extent to which a consumer can control the privacy of any personal information you maintain and the steps a consumer must take to implement such controls;
(iii) The extent to which they make or have made personal information accessible to third parties;
(iv) Steps you take or have taken to verify the privacy or security protections that any third party provides;
(v) The extent to which you make or have made personal information accessible to any third party following deletion or termination of a User’s account with you or during such time as a User’s account is deactivated or suspended; and
(vi) The extent to which you they are a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any EU-US/Swiss-US Privacy Shield.
Just in Time Notices
– If Facebook is sharing personal information in a way that materially exceeds the privacy setting of the user, they must:
(1) the categories of personal information that will be disclosed to such third parties,
(2) the identity or specific categories of such third parties, and
(3) that such sharing exceeds the restrictions imposed by the privacy settings in effect for the User; and
(ii) Obtain the User’s affirmative express consent.
Deletion of Information
– Facebook must make information on servers under its control impossible to access by third parties within not more than 30 days from the time such information was deleted by a User except as required by law or where necessary to protect the Facebook website or its Users from fraud or illegal activity
– Delete or de-identify information on servers under its control within reasonable time not to exceed 120 days from the time a User deleted the information (or deleted the accounts), except:
(1) As required by law;
(2) Where necessary for the safety and security of Respondent’s products, services, and Users, including to prevent fraud or other malicious activity;
(3) Where stored solely for backup or disaster recovery purposes (subject to a retention period necessary to provide a reliable service); or
(4) Where technically infeasible given Facebook’s existing systems.
Information Security Program
– Facebook must implement and maintain a comprehensive information security program that is designed to protect the security of personal information, containing safeguards appropriate to Facebook’s size and complexity, the nature and scope of Facebook’s activities, and the sensitivity of the personal information. This should include:
(i) Not asking for email passwords to other services when consumers sign up for its services.
(ii) Encrypting user passwords and regularly scanning to detect whether any passwords are stored in plaintext; and
– Within 180 days of the order, Facebook shall establish and implement, and thereafter maintain, a comprehensive privacy program that protects the privacy, confidentiality and integrity of the Covered information collected, used or shared by Facebook. It needs to include at least:
(1) Documented Risk Assessment:
– Assess and document, at least once every twelve (12) months, internal and external risks in each area of its operation to the privacy, confidentiality or integrity of personal information that could result in the unauthorized access, collection, use, destruction or disclosure of such information.
– Further assess and document internal and external risks as described above as they relate to a data breach incident, promptly following verification or confirmation of such an incident, not to exceed thirty (30) days after the incident is verified or otherwise confirmed;
(2) Adequate Safeguards:
– Design, implement, maintain and document safeguards that control for the material internal and external risks identified in the risk assessment. Each safeguard based on the volume and sensitivity of the personal information at risk, and the likelihood that the risk could be realized and result in the unauthorized access, collection, use, destruction, or disclosure of the personal information.
– Include any known alternative procedures that would mitigate the identified risks to the privacy, confidentiality, or integrity of the personal information, but which were not implemented and each reason such procedure(s) were not implemented;
– Assess, monitor, test and modify the privacy program as necessary at least once every twelve (12) months and promptly (not to exceed thirty (30) days after in data breach incident.
Specific Safeguards for Third Parties:
(i) Require an annual self-certification by each third party that certifies: (a) its compliance with Facebook’s terms; and (b) the purpose(s) or use(s) for each type of personal information to which it requests or continues to have access, and that each specified purpose or use complies with Facebook’s terms;
(ii) Deny or terminate access to any type of personal information that the third party fails to certify or, if the third party fails to complete the annual self-certification, denying or terminating access to all personal information unless the third party cures such failure within a reasonable time, not to exceed thirty (30) days;
(iii) monitor third party compliance with Facebook’s terms through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months; and
(iv) Enforce against any third party violations of Facebook’s terms based solely on the severity, nature, and impact of the violation;
Specific Safeguards for New or Modified Products:
(i) conduct and document a privacy impact assessment
(ii) for new or modified products posing a material risk – also produce a written report listing:
(a) type of information to be collected, and how it will be used, retained, and shared;
(b) The notice provided to Users about, and the mechanism(s), if any,by which Users will consent to, the collection of their personal information and the purposes for which such information will be used, retained, or shared ;
(c) Any risks to the privacy, confidentiality, or integrity of the personal information;
(d) The existing safeguards that would control for the identified risks to the privacy, confidentiality, and integrity of the personal information and whether any new safeguards would need to be implemented to control for such risks; and
(v) any other known safeguards or other procedures that would mitigate the identified risks to the privacy, confidentiality, and integrity of the personal information that were not implemented, such as minimizing the amount or type(s) of personal information that is collected, used, and shared; and each reason that those alternates were not implemented;
– Not use telephone numbers obtained to enable a security feature (e.g., two-factor – authentication) for advertising;
(3) Employee training; and
(4) Procedures adopted for implementing and monitoring the privacy program, including procedures used for evaluating and adjusting the privacy program
Internal Governance Requirements
– Facebook must establish an independent privacy committee in its Board of Directors appointed by an independent nominating committee and fired only by a super-majority of the Board of Directors;
– Designate compliance officers responsible for privacy program, one of whom will be the Chief Privacy Officer for Product; to be appointed or removed only by the privacy committee. Required to issue quarterly reports to the committee, the board, and if asked, the FTC ; and
– Conduct an annual management review of the privacy program.
– Submit to FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. False certification will subject them to individual civil and criminal penalties;
– Assess the privacy program after 180 days from the order and thereafter, every two years, by third party independent assessor who can be approved or removed by the FTC. Assessment based on the assessor’s independent fact-gathering, sampling, and testing, and not on attestations by Facebook management. Independent assessor to report directly to the new privacy board committee on a quarterly basis.
– Document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.
Read the full FTC press release.